Daily Digest

Massive 'TrapDoor' Supply Chain Attack Hits Open-Source; GitHub & Grafana Breached; Critical Drupal RCE Exploited

Massive 'TrapDoor' Supply Chain Attack Hits Open-Source; GitHub & Grafana Breached; Critical Drupal RCE Exploited

May 26, 2026
11 articles (7 new, 4 updated)
33 min read

Summary

This cybersecurity brief for May 26, 2026, covers a critical period marked by sophisticated supply chain attacks and significant data breaches. The headline event is the 'TrapDoor' campaign, a multi-faceted attack targeting npm, PyPI, and Crates.io to steal developer credentials and crypto wallets. The software development ecosystem was further shaken by source code breaches at both GitHub and Grafana Labs. Concurrently, a critical, actively exploited SQL injection vulnerability (CVE-2026-9082) in Drupal core put countless websites at risk. Other major events include a data breach at 7-Eleven claimed by ShinyHunters and a new 12-hour patching mandate from India's CERT-In in response to AI-driven threats.

Filter by Category

New Articles (7)

TrapDoor Supply Chain Attack Hits npm, PyPI, Crates.io, Stealing Crypto & Dev Secrets

CRITICAL

Sophisticated 'TrapDoor' Supply Chain Attack Steals Developer Credentials Across Multiple Open-Source Registries

A highly sophisticated, multi-repository supply chain attack dubbed 'TrapDoor' has compromised over 34 packages across npm, PyPI, and Crates.io. The campaign, which began on May 22, 2026, targets developers in the cryptocurrency, DeFi, and AI sectors. The malware is designed to steal a vast array of sensitive data, including AWS credentials, GitHub tokens, SSH keys, and cryptocurrency wallets. In a novel technique, the attackers are abusing AI coding assistants like Claude and Cursor to facilitate data exfiltration, representing a significant escalation in supply chain attack methodologies.

May 26, 2026
7 min read
supply chain attacknpmpypicrates.iocredential theft +4 more
TrapDoor Supply Chain Attack Hits npm, PyPI, Crates.io, Stealing Crypto & Dev Secrets

7-Eleven Confirms Franchisee Data Breach After ShinyHunters Claim

HIGH

7-Eleven Confirms Data Breach Affecting Franchisee Applicants Claimed by ShinyHunters Group

Convenience store giant 7-Eleven has confirmed a data breach impacting its franchisee application systems after the ShinyHunters cybercrime group claimed responsibility. The breach, discovered in April 2026, exposed the personal information of over 185,000 prospective franchisees. Exposed data includes names, addresses, and, in some cases, Social Security Numbers. ShinyHunters had previously attempted to ransom the data for $250,000 before leaking a 9.4GB archive.

May 26, 2026
4 min read
data breachshinyhunters7-elevensalesforceextortion +2 more
7-Eleven Confirms Franchisee Data Breach After ShinyHunters Claim

Microsoft Patches High-Severity SharePoint RCE Vulnerability (CVE-2026-45659)

HIGH

Microsoft Patches High-Severity Remote Code Execution Vulnerability in SharePoint Server

Microsoft has released patches for a high-severity remote code execution (RCE) vulnerability, CVE-2026-45659, affecting multiple versions of SharePoint Server. The flaw, rated with a CVSS score of 8.8, is caused by insecure deserialization of untrusted data. It allows an authenticated attacker with low-level 'Site Member' permissions to execute arbitrary code on the server with no user interaction, making it a critical threat for organizations running on-premise SharePoint.

May 26, 2026
5 min read
cve-2026-45659microsoftsharepointrcevulnerability +2 more
Microsoft Patches High-Severity SharePoint RCE Vulnerability (CVE-2026-45659)

India's CERT-In Mandates 12-Hour Patching for Critical Flaws in Response to AI-Driven Attacks

INFORMATIONAL

India's CERT-In Issues 12-Hour Patching Mandate for Critical Vulnerabilities Amid AI Threats

The Indian Computer Emergency Response Team (CERT-In) has released a new 38-page blueprint that mandates organizations to patch critical vulnerabilities in internet-facing systems within 12 hours of detection, where feasible. This aggressive timeline is a direct response to the growing threat of AI-assisted cyberattacks, which CERT-In warns can significantly shorten the time between vulnerability disclosure and exploitation. The new guidelines also require high-severity flaws to be fixed within five days.

May 26, 2026
4 min read
cert-inindiacybersecurity policyregulationpatch management +1 more
India's CERT-In Mandates 12-Hour Patching for Critical Flaws in Response to AI-Driven Attacks

DragonForce Ransomware Group Claims Attacks on Dutch Waste Firm and US Businesses

HIGH

DragonForce Ransomware Hits Dutch Waste Firm and US Businesses in New Campaign

The DragonForce ransomware group has claimed responsibility for a cyberattack on Saver NV, a Dutch waste management company, on May 25, 2026. The group is threatening to leak the company's data if a ransom is not paid. On the same day, DragonForce added two US-based firms, a business publication and an accounting firm, to its list of victims, indicating an active and geographically diverse campaign.

May 26, 2026
4 min read
ransomwaredragonforcedouble extortiondata leaksaver nv
DragonForce Ransomware Group Claims Attacks on Dutch Waste Firm and US Businesses

Bomco Data Breach Exposes SSNs, Financial, and Health Data of Over 800 Individuals

MEDIUM

Bomco Discloses Data Breach Exposing Social Security Numbers and Health Information

Bomco Inc., a Massachusetts-based aerospace manufacturer, has disclosed a data breach that occurred in June 2025. The breach, which took nearly a year to fully investigate and report, resulted in an unauthorized actor accessing files containing names, Social Security numbers, financial account details, and health records. Over 800 individuals across Massachusetts, Vermont, and Maine are known to be affected.

May 26, 2026
4 min read
data breachbomcopiiphissn +1 more
Bomco Data Breach Exposes SSNs, Financial, and Health Data of Over 800 Individuals

GitHub Confirms Source Code Breach Via Compromised Employee Device and Malicious VS Code Extension

HIGH

GitHub Suffers Source Code Breach Via Compromised Employee Device

GitHub, the world's largest code hosting platform, has confirmed it suffered a data breach that resulted in the theft of internal source code. The attackers gained access by compromising an employee's device with a weaponized Visual Studio Code extension. An estimated 3,800 internal repositories were exfiltrated. GitHub has stated that no customer-facing systems or data were impacted, but the incident highlights the significant threat of supply chain attacks targeting developers' tools.

May 26, 2026
4 min read
githubdata breachsource code leaksupply chain attackvs code +1 more
GitHub Confirms Source Code Breach Via Compromised Employee Device and Malicious VS Code Extension

Updated Articles (4)

Iranian APT 'Screening Serpens' Intensifies Espionage with New RATs Targeting US, Israel, and UAE

HIGH

Screening Serpens: Iranian APT Group Deploys New Malware in Geopolitically Timed Espionage Campaigns

Update:

The Iranian APT, also known as Nimbus Manticore, has evolved its tactics by employing SEO poisoning to distribute a new backdoor named 'MiniFast'. This marks their first observed use of SEO poisoning, creating fake software download pages (e.g., for Oracle SQL Developer) to trick users. The campaign, active from February to April 2026, now targets aviation and software companies across the U.S., Europe, and the Middle East. The group continues to leverage AppDomain hijacking, now described as DLL side-loading, to achieve persistence and evade detection, indicating a strategic shift from traditional phishing to more sophisticated inbound threat vectors.

May 22, 2026
Updated: May 26, 2026
6 min read
Screening SerpensAPTIranCyber EspionageUNC1549 +3 more
Iranian APT 'Screening Serpens' Intensifies Espionage with New RATs Targeting US, Israel, and UAE

‘Megalodon’ Campaign Hits 5,500+ GitHub Repos in Automated CI/CD Supply Chain Attack

CRITICAL

Automated 'Megalodon' Attack Compromises Over 5,500 GitHub Repos by Injecting Malicious CI/CD Workflows

Update:

The new article provides a hypothetical example of the malicious GitHub Actions workflow used for secret exfiltration, showing how attackers collect and send sensitive data to their servers. It also details additional mitigation strategies, such as using OpenID Connect (OIDC) for short-lived credentials and enforcing signed commits, to enhance security against such supply chain attacks. This adds valuable technical depth to the understanding of the attack methodology and defense.

May 24, 2026
Updated: May 26, 2026
6 min read
MegalodonSupply Chain AttackGitHubCI/CDInfostealer +2 more
‘Megalodon’ Campaign Hits 5,500+ GitHub Repos in Automated CI/CD Supply Chain Attack

Grafana Labs Source Code Stolen by 'CoinbaseCartel' in TanStack Supply Chain Attack Fallout

HIGH

Grafana Labs Confirms Source Code Theft by 'CoinbaseCartel' Extortion Group Following TanStack Supply Chain Compromise

Update:

Following the recent source code theft, Grafana Labs has provided an update on the incident. The company confirmed that its investigation found no customer data was exposed and its services remained undisrupted. Furthermore, Grafana Labs publicly announced its refusal to pay the ransom demanded by the attackers for the stolen codebase. This stance highlights their commitment to transparency and not engaging with extortionists, despite the continued threat of the stolen code being leaked.

May 24, 2026
Updated: May 26, 2026
6 min read
GrafanaCoinbaseCartelSupply Chain AttackData BreachSource Code Leak +2 more
Grafana Labs Source Code Stolen by 'CoinbaseCartel' in TanStack Supply Chain Attack Fallout

Drupal Core Flaw Under Mass Exploit: Critical SQL Injection Bug (CVE-2026-9082) Weaponized in 48 Hours

CRITICAL

CISA Warns of Active Exploitation of Critical Drupal SQL Injection Vulnerability CVE-2026-9082

Update:

The critical SQL injection vulnerability, CVE-2026-9082, continues to be actively exploited in the wild. Following CISA's earlier alert, the Cyber Security Agency of Singapore (CSA) has now also issued an advisory confirming widespread exploitation, emphasizing the urgent need for patching. The vulnerability, detailed in Drupal security advisory SA-CORE-2026-004, affects Drupal core versions from 8.9.0 up to 11.x when using a PostgreSQL database. While the SQL injection is specific to PostgreSQL, Drupal also advises all users, regardless of their database backend, to update due to other important third-party library fixes (Symfony, Twig) included in the same security releases. Administrators should prioritize updating and checking for signs of compromise.

May 25, 2026
Updated: May 26, 2026
5 min read
DrupalCVE-2026-9082SQL InjectionPostgreSQLCISA +2 more
Drupal Core Flaw Under Mass Exploit: Critical SQL Injection Bug (CVE-2026-9082) Weaponized in 48 Hours

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.